Authenticating users before allowing access to secure computer systems and websites is crucial. Online services such as banking, bill payment, social networking and e-commerce utilize ever increasing amounts of personal and financial user data online. Identity thieves and other malicious parties use a wide variety of techniques to attempt to gain unauthorized access to the accounts of innocent parties to commit financial fraud, obtain personal information and otherwise harm the interests of legitimate account owners and service providers. Properly authenticating users attempting to access online services and the like protects against such fraud, whereas insufficient authentication creates vulnerabilities.
Password authentication, in which the only authentication factor a user needs to provide is a password, is relatively weak. The types of passwords commonly utilized are fairly easy to crack, whereas strong passwords are difficult for users to remember and hence are rarely used at all, or else are written down in accessible locations. These problems are compounded by the number of separate password authenticated accounts most users need to maintain. For these reasons, many authentication systems extend password authentication schemes by requiring one or more additional factor(s) for added security. In multifactor authentication, the user must present multiple authentication factors of different types to access a service. For example, in two-factor authentication, a user must provide two factors, such as something the user knows (e.g., a password or PIN) and something the user has, which is referred to as a possession factor. Examples of possession factors include a onetime passcode generated by a registered personal smartphone, a hardware token generated random number, a onetime pad, a magnetic stripe card, etc. In general, multifactor authentication is much harder to crack than password only authentication.
Unfortunately the possession factor (the thing the user has) may be lost, misplaced, stolen, damaged or destroyed. Without the possession factor, users cannot connect to their authentication protected systems, in which case they lose access to their accounts and data. Some systems allow users to reset their possession factor credentials by answering challenge questions provided when the account was created (e.g., what is your mother's maiden name, zip code, city of birth, etc.). These are referred to as Knowledge Based Authentication (KBA) questions. However, the answers to conventional KBA questions can be guessed or learned by fraudulent parties relatively easily, for example by reviewing social networking sites and public records. Some systems attempt to validate users by automatically creating KBA questions based on the account the user tries to recover (e.g., when was the account created, whom do you email most often, etc.). As with KBA questions selected by users, system created KBA questions can generally be guessed based on publicly available information. Allowing users to reset their possession factor credentials through these insecure bypass mechanisms undermines the security benefit provided by the possession factor in the first place.
It would be desirable to address these issues.